The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs, trivially exploitable vulnerabilities (such as using hard-coded credentials) and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-7399

• Severity: 7.5 HIGH
• Impacted Products: Samsung MagicINFO 9 Server version <= 21.1050
• Description: Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before (or equal to! see PoC Links - ed) 21.1050 allows attackers to write arbitrary file as system authority.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2024-7399
• PoC: https://ssd-disclosure.com/ssd-advisory-samsung-magicinfo-unauthenticated-rce/ and a Huntress blog showing this is still exploitable on the patched version: https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw

CVE-2025-45611

• Severity: 9.8 CRITICAL
• Impacted Products: hope-boot v1.0.0
• Description: Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-45611
• PoC: https://github.com/java-aodeng/hope-boot/issues/86

CVE-2025-45018

• Severity: 7.2 HIGH
• Impacted Products: PHPGurukul Park Ticketing Management System v2.0
• Description: A SQL Injection vulnerability was discovered in the foreigner-bwdates-reports-details.php file of PHPGurukul Park Ticketing Management System v2.0. This vulnerability allows remote attackers to execute arbitrary SQL code via the todate parameter.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-45018
• PoC: https://github.com/rtnthakur/CVE/blob/main/PHPGurukul/Park-Ticketing-Management-System-Project/SQL/SQl_Injection_in_was_foreigner-bwdates-reports-details.md

CVE-2025-44868

• Severity: 9.8 CRITICAL
• Impacted Products: Wavlink WL-WN530H4 20220801
• Description: Wavlink WL-WN530H4 20220801 was found to contain a command injection vulnerability in the ping_test function of the adm.cgi via the pingIp parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
• Remediation: Follow developer advice.
• More Info: NVD - CVE-2025-44868
• PoC: https://github.com/Summermu/VulnForIoT/blob/main/Wavlink_WL-WN530H4/ping_test/readme.md

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.